@aitne-sh/aitne 0.1.3 → 0.1.5

package/README.md

@@ -62,11 +62,11 @@ Three things make Aitne different:
 
 ---
 
-## A day with Aitne (live demo)
+## A day with Aitne
 
 > A real walkthrough of one user's Tuesday.
 
-**04:00 — While you sleep.** Aitne reads yesterday's handoff, your calendar for today, the last 24 hours of mail across 4 accounts, new commits in 3 repos, and the 7 pending observations from Notion. It generates `today.md` and queues a Morning Briefing DM for after quiet hours end.
+**04:00 — While you sleep.** Aitne reads yesterday's handoff, your calendar for today, the last 24 hours of mail across your accounts, new commits in your repos, and the pending observations from Notion. It generates `today.md` and queues a Morning Briefing DM for after quiet hours end.
 
 **07:30 — Slack DM lands as you grab coffee:**
 > Good morning. 3 things to flag:
@@ -77,7 +77,7 @@ Three things make Aitne different:
 > Today: 2 meetings, 4 tasks. Light day. Reply `end` to close, or just talk to me.
 
 **09:15 — You DM Aitne:** *"Tell Sarah I'll review by 11. And book lunch with Mark on Thursday — somewhere near his office."*
-Aitne drafts the Slack reply to Sarah, finds 3 lunch slots Thursday, checks Mark's last 5 lunch venues from your Notion `people.md`, suggests Tartine. You confirm. Done.
+Aitne drafts the Slack reply to Sarah, finds 3 lunch slots Thursday, checks Mark's last 5 lunch venues from your `people.md`, suggests Tartine. You confirm. Done.
 
 **11:30 — Hourly check fires.** A new commit in your repo modified the API contract you're about to ship. Aitne adds a note to `Agent Notes` on `today.md` and DMs once: *"⚠️ Heads up — `auth.ts:84` was just changed by @Yuki. Want me to summarize the diff?"*
 
@@ -112,19 +112,20 @@ A non-exhaustive list. Click any group to expand.
 <details>
 <summary><b>📧 Mail across all your accounts</b></summary>
 
-- Unified inbox across Gmail, Outlook, Yahoo, iCloud, and any IMAP server
+- Unified inbox across Gmail, Outlook, Yahoo, and iCloud (OAuth or app-password / IMAP)
 - Local FTS5 full-text search across **every** account ("find emails about acme last quarter")
-- Auto-classify, label, and archive (Gmail)
+- Auto-classify, label, and archive (Gmail) — full filter rules across all providers
 - Draft replies in your style ("draft a polite no to this conference invite")
 - Forwarded receipts → auto-extracted to a structured `receipts` table tagged with category, vendor, amount
 - Daily digest of unread mail in the morning briefing
+- IMAP IDLE for near-real-time delivery; PDF/image attachments are extracted and indexed
 </details>
 
 <details>
 <summary><b>📓 Knowledge: Obsidian, Notion, your own notes</b></summary>
 
 - Use your existing Obsidian vault as Aitne's primary memory store — wiki-links keep working
-- Append to your daily note via the official Obsidian CLI
+- Append to your daily note via the official Obsidian CLI (`obsidian create` / `daily:append`)
 - Full Notion page & database CRUD — query, create, update, archive
 - "Summarize what I wrote about this project last month" — across vault layers
 - Auto-link new notes to existing concepts ("this is related to your `agent-architecture.md` from March")
@@ -134,10 +135,11 @@ A non-exhaustive list. Click any group to expand.
 <summary><b>📦 Code, Git, GitHub</b></summary>
 
 - Local Git: `git log`, `git diff`, `git show` exposed via daemon proxy
-- GitHub: PR lists, comments, issues, webhook receivers
+- GitHub: PR lists, comments, issues, webhook receivers (HMAC-verified)
 - Per-repo cron triggers — "every Monday at 09:00, summarize merged PRs into `projects/<repo>.md`"
 - "Why did this build break?" — agent reads CI status + diff + traces
 - Auto-detect when a coworker modified a file you're about to ship
+- Unified Repositories: one row pairs a local clone with a GitHub remote; the doctor flags drift
 </details>
 
 <details>
@@ -146,17 +148,18 @@ A non-exhaustive list. Click any group to expand.
 - Unified task view across GitHub Issues, mail-derived TODOs, and your own `today.md`
 - Per-project Markdown files with auto-maintained status, deadlines, and people
 - Long-term roadmap with quarterly milestones
-- "Carry this to tomorrow" — handoff between today.md, daily/, weekly/, monthly/
+- "Carry this to tomorrow" — handoff between `today.md`, `daily/`, `weekly/`, `monthly/`
 - Auto-detect recurring chores and set up reminders
 </details>
 
 <details>
-<summary><b>📚 Reading, learning, lifestyle</b></summary>
+<summary><b>📚 Reading, lifestyle, voice</b></summary>
 
 - Import Kindle highlights, build a reading-taste profile
 - Friday book recommendation DM based on your taste
-- Receipts auto-organized by month into your Obsidian vault
+- Receipts auto-organized by month into your vault
 - Travel itinerary roll-up surfaced before each trip
+- **Voice attachments** — send a voice memo, get a Whisper-transcribed message (opt-in, runs locally)
 </details>
 
 <details>
@@ -232,7 +235,7 @@ flowchart TB
 **Key properties:**
 
 - **Plain Markdown.** You can `cat`, `vim`, `obsidian`, or `cp` any of these files. There is no proprietary format. Uninstall and the memory is still yours.
-- **Layered retention.** `today.md` rotates to `yesterday.md` once per agent-day. `daily/` files are persistent by design (synthesized journal). `weekly/` is pruned after 1 year (the monthly review rolls it up). `agent/journal.md` keeps the most recent ~12 weekly + 24 monthly sections. SQLite-backed history (messages, agent_actions, dm_conversation_log) is pruned after 90 days.
+- **Layered retention.** `today.md` rotates to `yesterday.md` once per agent-day. `daily/` files are persistent by design (synthesized journal). `weekly/` is pruned after 1 year. `agent/journal.md` keeps the most recent ~12 weekly + 24 monthly sections. SQLite-backed history (messages, agent_actions) is pruned after 90 days.
 - **Always-injected context.** Every session starts with `user/profile.md` + `rules/management.md` + `today.md` already loaded — the agent never has to "search for context."
 - **You can always intervene.** Edit any file by hand. The agent picks up your changes on the next routine.
 
@@ -266,20 +269,12 @@ graph LR
 
 Every interaction shapes Aitne's understanding of you, *implicitly*. No buttons. No surveys. Just talk to it.
 
-```mermaid
-flowchart LR
-    A["📨 Pre-Action<br/>read user/profile.md<br/>inject preferences"] --> B["🤖 Action<br/>generate response<br/>in your style"]
-    B --> C["👁️ Post-Action<br/>Signal Detector logs:<br/>· ignored notifications<br/>(no reply within 30 min)<br/>· correction phrases<br/>(shorter, in Japanese, …)"]
-    C --> D["🌆 Evening Review<br/>raw signals → character<br/>or → user/profile.md<br/>Learned Context"]
-    D --> A
-```
+The Signal Detector tags each turn for **tone-class signals** (corrections like "be shorter", "no preamble") and **attribute-class signals** (durable facts like "I'm allergic to nuts"). The Evening Review interprets the raw signals on the next pass:
 
-The Signal Detector (`packages/daemon/src/core/signal-detector.ts`) appends raw entries to `user/profile.md`'s `## Raw Signals` section via the Context File API. The Evening Review (`routine.evening_review`, default `medium` tier — Sonnet) interprets the raw signals on the next pass and clears them.
+- **Tone** → updates the `character` runtime-config field, applied to every backend's system prompt.
+- **Attribute** → updates `user/profile.md` Learned Context.
 
-**Tone-class signals** (corrections like "be shorter", "no preamble") → updates the `character` runtime-config field, applied to the system prompt across all backends.
-**Attribute-class signals** (durable facts like "I'm allergic to nuts", "my partner's name is Mei") → updates `user/profile.md` Learned Context.
-
-The Evening Review enforces the line between these: a signal like "I prefer concise replies" is *tone* (goes to character). A signal like "my flight is on Friday" is *attribute* (goes to profile).
+The line between the two is enforced server-side: a signal like "I prefer concise replies" is *tone* (goes to character). A signal like "my flight is on Friday" is *attribute* (goes to profile).
 
 ---
 
@@ -301,13 +296,14 @@ Aitne has a dedicated set of management skills — `management-task-register`, `
 | *"Switch to Codex for code reviews from now on"* | Updates `process_backend_config` mapping |
 
 Behind the scenes, the agent maps natural language to one of:
-- `PATCH /api/config` — runtime config (~80 keys)
+
+- `PATCH /api/config` — runtime config (~100 keys)
 - `PUT /api/context/*` — Markdown memory (locked, validated, snapshotted)
 - `DELETE /api/schedule/:id` / `POST /api/recurring-schedules` — scheduling
 - `PATCH /api/config/character` — tone
-- `POST /api/triggers` — cron-driven custom routines (automation triggers)
+- `POST /api/triggers` — cron-driven custom routines
 
-Every change is journaled to `agent_actions` with `source_kind=user_directive`. You can audit what was changed and when via `aitne audit`.
+Every change is journaled to `agent_actions` with `source_kind=user_directive`. Audit anything you don't recognize via `aitne audit`.
 
 ---
 
@@ -346,8 +342,6 @@ flowchart LR
     style RUN fill:#fae8ff,stroke:#a855f7
 ```
 
-### What this means in practice
-
 | You already have… | In Aitne it just works |
 |---|---|
 | A Claude Code MCP server connected to your company's internal API | Every Aitne session can use it. No code changes. |
@@ -356,19 +350,7 @@ flowchart LR
 | Your Gemini auth + project preferences | Inherited automatically. |
 | Skills you wrote for `~/.claude/skills/` | Imported on demand. |
 
-### The growth flywheel
-
-```
-Claude Code / Codex / Gemini ships a new feature
-         ↓
-New connectors, plugins, MCP servers, skills appear
-         ↓
-The backend Aitne controls gets more capable
-         ↓
-You get those capabilities in Aitne — with zero config change
-```
-
-Aitne is a *proxy* over the AI runtimes you already use. As they grow, you grow.
+**The growth flywheel:** Claude Code / Codex / Gemini ship a new connector → Aitne picks it up on next session → you get it for free.
 
 ---
 
@@ -390,8 +372,8 @@ flowchart TB
 
     subgraph SVC["🔌 Connected apps"]
         direction TB
-        SV1["📅 Google Calendar"]
-        SV2["📧 Gmail · Outlook · Yahoo · iCloud · IMAP"]
+        SV1["📅 Google Calendar · Outlook Calendar"]
+        SV2["📧 Gmail · Outlook · Yahoo · iCloud"]
         SV3["📓 Notion · Obsidian"]
         SV4["📦 GitHub · local Git"]
         SV5["🗺️ Google Maps"]
@@ -427,11 +409,12 @@ flowchart TB
 | 💬 **Reactive on every chat platform** | Slack · Telegram · Discord · WhatsApp · Web dashboard |
 | 🧠 **Multi-backend brain** | Claude (Opus 4.7 / Sonnet 4.6 / Haiku 4.5) · Codex CLI · Gemini CLI |
 | 📝 **MD-centric memory** | Plain Markdown you own — `today.md` · `roadmap.md` · `projects/*` · `daily/` · `weekly/` · `monthly/` |
-| 🔌 **23 built-in skills** | Calendar, mail, Notion, Obsidian, schedule, roadmap, receipts, travel, reading, … |
-| 🛡️ **Triple safety model** | SDK permission hooks · daemon API risk tiers · absolute-block layer |
+| 🔌 **23 built-in skills** | Calendar, mail, Notion, Obsidian, schedule, roadmap, receipts, travel, reading, voice, … |
+| 🔁 **4-mode integration framework** | `direct` (daemon polls) · `delegated` (backend's connector) · `native` (main backend MCP on demand) · `disabled` |
+| 🛡️ **Four-layer safety** | SDK allowlist · PreToolUse hooks · daemon API risk tiers · absolute-block layer that holds even in Allow mode |
 | 🪪 **Local-first & private** | Binds to `127.0.0.1`. No telemetry. Secrets in OS Keychain. Zero cloud state. |
 | 🧰 **Production tooling** | Background daemon · `aitne doctor` · cost analytics · auth health monitor with auto-recovery |
-| 🌍 **Speak any language** | The LLM handles it — talk to Aitne in Japanese, English, German, anything. |
+| 🌍 **Speak any language** | The LLM handles it — talk to Aitne in Japanese, English, German, anything. `primaryLanguage` config nudges its outputs too. |
 
 ---
 
@@ -463,7 +446,7 @@ flowchart TB
 npm install -g @aitne-sh/aitne@latest
 ```
 
-This installs the `aitne` CLI globally with the daemon, dashboard, and built-in agent assets.
+Installs the `aitne` CLI globally with the daemon, dashboard, and built-in agent assets.
 
 ### 2. Bring at least one AI backend
 
@@ -497,11 +480,19 @@ aitne status
 ```
 
 ```
-Aitne  v0.1.1
-  Daemon     running  pid 12345  uptime 0:00:12  port 8321
-  Dashboard  running  pid 12346  uptime 0:00:11  port 3000
-  Today's spend  $0.04
-  Next scheduled  routine.morning_routine  in 6h 12m
+Aitne status:
+
+  Daemon:      running (PID 12345)
+    Uptime:    1m 23s
+    API:       http://127.0.0.1:8321
+    Platforms: slack, dashboard
+    Backends:  claude
+  Dashboard:   running (PID 12346)
+    URL:       http://localhost:3000
+
+  Last action: 2026-05-11T07:30:14Z  (routine.morning_routine)
+  Today:       6 action(s)  ·  $0.043 spent
+  Next:        2026-05-11T18:00:00Z  routine.evening_review
 ```
 
 That's it. Open `http://localhost:3000` and finish the wizard.
@@ -533,7 +524,7 @@ npm install -g @aitne-sh/aitne@latest
 ```bash
 npm install -g @anthropic-ai/claude-code
 claude --version
-claude auth login --claudeai      # uses your Claude subscription
+claude auth login                 # uses your Claude subscription
 ```
 
 #### OpenAI Codex CLI
@@ -552,7 +543,7 @@ gemini --version
 # OAuth handled automatically on first use
 ```
 
-You can install all three. Per-process tier routing lets you mix-and-match: Sonnet for hourly checks, Opus for the morning routine, Codex for code-heavy tasks, Gemini for free-tier summarization.
+You can install all three. Per-process tier routing lets you mix-and-match: Sonnet for routines and DMs, Haiku for delegated/polling, Codex for code-heavy work, Gemini for free-tier headroom — and Opus only on the keys that genuinely need it (first-day morning routine, knowledge import, opt-in heavy task mode).
 
 ### Step 3 — Launch and run the wizard
 
@@ -560,23 +551,27 @@ You can install all three. Per-process tier routing lets you mix-and-match: Sonn
 aitne start
 ```
 
-Aitne builds (if needed), launches both processes, and opens `http://localhost:3000/setup`. The wizard walks through:
-
-1. **Backend** — default backend (Claude / Codex / Gemini)
-2. **Vault mode** — plain (`~/.personal-agent/context/`) or your existing Obsidian vault
-3. **Execution mode** — *Safe* (strict) or *Allow* (relaxed for plugins/MCP). Absolute-block layer holds in both.
-4. **Google** — OAuth for Gmail and Calendar (optional)
-5. **Messaging platforms** — Slack, Telegram, Discord, WhatsApp (optional)
-6. **Integrations** — `direct` / `delegated` / `disabled` per service
-7. **Character** — free-form 1,000-char tone & style description
+Aitne builds (if needed), launches both processes, and opens `http://localhost:3000/setup`. The wizard walks 9 screens:
 
-After the wizard, every option has a settings page in the sidebar.
+| # | Step | What it asks |
+|---|---|---|
+| 1 | **Basics** | Agent display name + primary language |
+| 2 | **Vault** | Plain (`~/.personal-agent/context/`) or your existing Obsidian vault path |
+| 3 | **AI Backend** | Pick the main backend (Claude / Codex / Gemini), authenticate (API key or CLI login), choose execution mode (Safe vs. Allow) |
+| 4 | **Mail** | Gmail (OAuth) · Outlook (OAuth) · Yahoo / iCloud (IMAP + app password) — each card sets `direct` / `delegated` / `native` mode where supported |
+| 5 | **Calendar** | Google Calendar (OAuth) · Outlook Calendar (OAuth or user-managed MCP) — same mode picker per card |
+| 6 | **Note** | Notion (OAuth) and an optional secondary Obsidian vault path to watch |
+| 7 | **Messaging** | Slack · Telegram · Discord · WhatsApp pairing |
+| 8 | **Rules** | A short conversation with the agent — it interviews you and stages a `character` block + a `management-rules` block, which you confirm before saving |
+| 9 | **Done** | Summary; agent runs its first `setup` session |
+
+Required steps: Basics, Vault, AI Backend, Rules. Everything else exposes a **Skip** button — you can come back later from `/connections/*` or `/settings/*`.
 
 ### Step 4 — Verify
 
 ```bash
-aitne status         # PIDs, uptime, integrations, today's spend
-aitne doctor         # 8-point install diagnostic
+aitne status         # PIDs, uptime, connected platforms, backends, today's spend
+aitne doctor         # install diagnostic
 aitne logs -f        # tail the daemon log
 ```
 
@@ -590,8 +585,8 @@ aitne logs -f        # tail the daemon log
 |---|---|
 | `aitne start [--no-open]` | Build if stale, launch daemon + dashboard in background. Opens browser unless `--no-open`. |
 | `aitne stop` | Graceful shutdown (SIGTERM → SIGKILL after 10 s). |
-| `aitne restart [--clean-context]` | Stop then start. `--clean-context` wipes `context/` after a tarball backup. |
-| `aitne status` | PIDs, uptime, integrations, today's spend, last action, next scheduled item. |
+| `aitne restart [--no-open] [--clean-context]` | Stop then start. `--clean-context` wipes `context/` after a tarball backup. |
+| `aitne status` | PIDs, uptime, connected platforms, backends, today's spend, last action, next scheduled item. |
 | `aitne logs [-f] [-n N] [-d]` | Tail the daemon log. `-d` = dashboard log. `-f` = follow. `-n N` = last N lines. |
 | `aitne dev` | Foreground mode (full stdio, useful for debugging). |
 | `aitne build` | Force a build (skip the mtime gate). |
@@ -602,7 +597,7 @@ aitne logs -f        # tail the daemon log
 |---|---|
 | `aitne setup` | Re-open the dashboard `/setup` wizard. Auto-starts the daemon if needed. |
 | `aitne open` | Open the dashboard in your browser. |
-| `aitne doctor` | 8-point install diagnostic. |
+| `aitne doctor [--json]` | 9 install checks; the repository-drift check expands into one extra row per repo whose `origin` no longer matches its registered slug. |
 | `aitne audit [flags]` | Read the agent action log directly from SQLite. |
 | `aitne version [--json]` | Version, Node, install path, last build time. |
 | `aitne update [--check]` | Print the npm command to upgrade. `--check` makes one network call. |
@@ -627,10 +622,11 @@ aitne logs -f        # tail the daemon log
 2. Daemon port (`PA_API_PORT`, default 8321) is bindable
 3. Dashboard port (`PA_DASHBOARD_PORT`, default 3000) is bindable
 4. OS secret store usable (`security` / `secret-tool` / `PA_MASTER_PASSWORD`)
-5. At least one backend CLI (`claude`, `codex`, or `gemini`) responds to `--version`
+5. At least one backend CLI (`claude`, `codex`, or `gemini`) responds
 6. `~/.personal-agent` exists and is writable
 7. `better-sqlite3` native binding loads
 8. `agent-assets/skills/` is reachable
+9. Repository drift — one row per paired-local + GitHub repo whose `origin` no longer matches the registered `<owner>/<repo>`
 
 ---
 
@@ -650,7 +646,7 @@ flowchart TB
     subgraph DAEMON["⚙️ Aitne daemon (Hono :8321)"]
         direction TB
         EB[EventBus<br/>priority heap]
-        DI[Dispatcher<br/>semaphore: 2 reactive +<br/>3 autonomous]
+        DI[Dispatcher<br/>semaphores: 2 reactive +<br/>3 autonomous]
         BR[BackendRouter<br/>ProcessKey → tier → backend<br/>+ fallback]
         AC[Agent Core<br/>IAgentCore interface]
         OB[Observers<br/>Git · GitHub · Obsidian ·<br/>Notion · Calendar · Mail]
@@ -690,14 +686,14 @@ flowchart TB
 ### Two execution paths
 
 **Reactive path** — owner DMs/mentions, cron routines, calendar approach events, scheduled tasks
-→ Event source → EventBus → Dispatcher → BackendRouter → Agent → output to user
+→ Event source → EventBus → Dispatcher → BackendRouter → Agent → output to user.
 
 **Polling path** — Obsidian, Git, GitHub, Notion, Calendar, Mail change detection
 → Observer → `observations` table (UPSERT, with `actor='user'|'agent'`)
 … time passes …
-→ Hourly cron → Dispatcher.triggerHourlyCheck → agent reads pending → updates today.md / roadmap.md → notifies if needed
+→ Hourly cron → Stage 2 lite-tier triage → Stage 3 full `routine.hourly_check` (if escalated) → agent reads pending → updates `today.md` / `roadmap.md` → notifies if needed.
 
-The `AgentWriteTracker` prevents agent → observer → agent loops by tagging the agent's own writes so the hourly check filters them out.
+`AgentWriteTracker` prevents agent → observer → agent loops by tagging the agent's own writes so the hourly check filters them out. A pre-pass `routine.fetch_window` session fans out per-account fetches into the `observations` table before each routine runs.
 
 ### Repo layout
 
@@ -709,7 +705,7 @@ packages/
 
 agent-assets/    # Read by the daemon at session-init time
 ├── agent-profiles/  # Persona MD per backend (CLAUDE.md / AGENTS.md / GEMINI.md)
-├── skills/          # 23 built-in skills (Context API, Calendar, Mail, …)
+├── skills/          # 23 built-in skills (context, calendar, mail, notion, …)
 ├── task-flows/      # Per-event prompt templates (one per event type)
 └── templates/       # Scaffold MD copied to context/ on first run
 
@@ -740,9 +736,9 @@ Everything the agent writes lives under `PA_DATA_DIR` (default `~/.personal-agen
 │   ├── routines/              # Per-cadence checklist rulebooks
 │   ├── dossiers/              # Carry-forward state per routine
 │   ├── projects/              # One file per active project + Obsidian Bases view
-│   ├── daily/<YYYY-MM-DD>.md  # Synthesized daily journal (90 d retention)
-│   ├── weekly/<YYYY-Www>.md   # Weekly review (1 yr)
-│   ├── monthly/<YYYY-MM>.md   # Monthly review (3 yr)
+│   ├── daily/<YYYY-MM-DD>.md  # Synthesized daily journal (persistent by design)
+│   ├── weekly/<YYYY-Www>.md   # Weekly review (1 yr file retention)
+│   ├── monthly/<YYYY-MM>.md   # Monthly review (persistent by design)
 │   ├── inbox/                 # Optional paste bucket
 │   └── agent/
 │       ├── journal.md         # Private agent self-reflection
@@ -756,13 +752,9 @@ Everything the agent writes lives under `PA_DATA_DIR` (default `~/.personal-agen
 └── run/                       # PID files for daemon + dashboard
 ```
 
-### Always-injected context
-
-Every session starts with `user/profile.md` + `rules/management.md` + `today.md` injected. The agent never has to "search for context."
-
 ### Write chokepoint
 
-Context-MD writes go through `curl http://localhost:8321/api/context/<path>` rather than the SDK's `Edit`/`Write` tools. This is enforced by skill instructions plus the absolute-block path globs that deny SDK writes to secret paths (`.env`, `~/.ssh`, `~/.aws`, `~/.personal-agent/secrets/**`, …). Routing context writes through the daemon API gives a single chokepoint for locks (`today.md` write lock), frontmatter validation, and snapshots (30-day `md_file_snapshots` retention).
+Context-MD writes go through `curl http://localhost:8321/api/context/<path>` rather than the SDK's `Edit`/`Write` tools on those paths. This is enforced by **skill instructions** (the bundled skills only ever invoke the daemon API) plus the **absolute-block path globs** that hard-deny SDK writes to secret paths (`.env`, `~/.ssh`, `~/.aws`, `~/.gnupg`, `~/.personal-agent/secrets/**`, …). Routing context writes through the daemon API gives one chokepoint for locks (`today.md` write lock), frontmatter validation, and snapshots (30-day `md_file_snapshots` retention).
 
 ---
 
@@ -786,8 +778,9 @@ Every kind of work has a `ProcessKey` mapped to a tier (`lite` / `medium` / `hig
 | `routine.morning_routine` | medium | Daily plan generation — the highest-value recurring process |
 | `routine.evening_review` | medium | Today wrap-up |
 | `routine.weekly_review`, `routine.monthly_review` | medium | Cadence summaries |
-| `routine.hourly_check` | medium | Observation aggregation |
-| `routine.hourly_check.triage` | lite | Stage 2 triage gate (escalate vs log-only) |
+| `routine.hourly_check` | medium | Stage 3 observation aggregation |
+| `routine.hourly_check.triage` | lite | Stage 2 escalate-vs-log-only gate |
+| `routine.fetch_window` | lite | Pre-pass fan-out fetcher for routines |
 | `message.dm`, `message.mention` | medium | DM and channel response |
 | `dashboard.chat` | medium | Web chat |
 | `dashboard.docs_qa` | medium (tier-locked) | Docs panel — never burns Opus quota |
@@ -796,9 +789,10 @@ Every kind of work has a `ProcessKey` mapped to a tier (`lite` / `medium` / `hig
 | `calendar.change`, `gmail_classify` | lite | Polling-derived events |
 | `git.*`, `github.*` (event triage) | lite | Git/GitHub event triage |
 | `delegated_task` | lite | Delegated subprocess task mode |
+| `delegated_task_heavy` | high | Opt-in destructive-write task mode |
 | `observation.summarize` | lite | Per-observation classification |
 
-Configure each ProcessKey's backend & tier from the dashboard `/settings/models` page. The router fails over to a fallback backend automatically on `BackendQuotaError` or `BackendDecisiveFailure`.
+Configure each ProcessKey's backend & tier from the dashboard `/settings/models` page. The router fails over to a fallback backend automatically on `BackendQuotaError` or `BackendDecisiveFailure`, re-materializing the fallback's instruction file + skill directories into the session workdir.
 
 ---
 
@@ -818,19 +812,18 @@ Configure each ProcessKey's backend & tier from the dashboard `/settings/models`
 
 | Provider | Auth | Features |
 |---|---|---|
-| **Gmail** | `googleapis` OAuth2 | Read · send · drafts · labels · IMAP IDLE · classifier |
+| **Gmail** | `googleapis` OAuth2 | Read · send · drafts · labels · IMAP IDLE · classifier · attachment extraction |
 | **Outlook** | `@azure/msal-node` Graph API | Read · send · drafts · folders |
-| **Yahoo** | IMAP + OAuth2 | Read · send |
-| **iCloud** | IMAP + app password | Read · send |
-| **Generic IMAP** | username + password | Read |
+| **Yahoo** | IMAP + app password | Read · send · IMAP IDLE |
+| **iCloud** | IMAP + app password | Read · send · IMAP IDLE |
 
-Local FTS5 full-text search runs across **every** account via `GET /api/mail/search?q=...`.
+Local FTS5 full-text search runs across **every** account via `GET /api/mail/search?q=...`. The classifier (`mail-classifier`) tags messages across all providers; the Gmail-specific classifier auto-applies labels.
 
 ### Knowledge & docs
 
-- **Obsidian** — read directly via `Read`; write via the official Obsidian CLI 1.12+ (`obsidian create`, `obsidian append`, `obsidian daily:append`, …); chokidar watches the vault for user edits
+- **Obsidian** — read directly via `Read`; write via the official Obsidian CLI (`obsidian create`, `obsidian append`, `obsidian daily:append`, …); `chokidar` watches the vault for user edits
 - **Notion** — `@notionhq/client` REST API; full page + database CRUD
-- **Custom MCP servers** — register via `/api/mcp/servers`, materialized into the per-session workdir so backends use them transparently
+- **Custom MCP servers** — register via `/api/mcp/servers`; materialized into the per-session workdir so backends use them transparently
 
 ### Code
 
@@ -839,68 +832,76 @@ Local FTS5 full-text search runs across **every** account via `GET /api/mail/sea
 
 ### Calendar & travel
 
-- **Google Calendar** — full event CRUD, freebusy, calendar list, 15-min approaching reminders
+- **Google Calendar** — `googleapis` OAuth2; full event CRUD, freebusy, calendar list, 15-min approaching reminders
+- **Outlook Calendar** — Microsoft Graph via `@azure/msal-node` in direct mode, or user-managed MCP in delegated / native modes
+- **iCloud Calendar** — CalDAV via `tsdav` (Apple Calendar service; reachable from any platform)
 - **Google Maps** — Directions API for travel-time estimation tied to calendar events
 
 ### Lifestyle
 
-- **Receipts** — auto-extracts PDF/image attachments from Gmail with category detection
+- **Receipts** — auto-extracts PDF/image attachments from mail with category detection
 - **Travel bookings** — auto-extracts flight, hotel, restaurant, train confirmations
 - **Reading** — Kindle My Clippings importer; reading-taste profile; weekly book recommendations
+- **Voice** — opt-in Whisper transcription (`ffmpeg-static` + `@huggingface/transformers`) runs locally on voice attachments. Install via `POST /api/voice/install`.
 
 ### Integration delegation modes
 
-Each integration runs in one of three modes:
+Each integration runs in one of **four** modes:
 
-| Mode | Auth held by | Setup cost | Capabilities |
-|---|---|---|---|
-| **`direct`** | Daemon (OAuth in OS Keychain) | 5–6 vendor-console steps | Full feature set |
-| **`delegated`** | Backend's connector | None | Reduced (whatever the connector exposes) |
-| **`disabled`** | — | — | Off |
+| Mode | Auth held by | Polling? | Setup cost | Capabilities |
+|---|---|---|---|---|
+| **`direct`** | Daemon (OAuth in OS Keychain) | Daemon poller | 5–6 vendor-console steps | Full feature set |
+| **`delegated`** | Main backend's connector | Cron `delegated-sync-worker` (per-cadence opt-in) | None — backend already authed | Reduced (whatever the connector exposes) |
+| **`native`** | Main backend's connector | No daemon polling — agent reaches the integration in-turn via MCP | None | On-demand only; observations posted via `/api/observations` |
+| **`disabled`** | — | No | — | Off |
+
+`delegated` runs the backend's connector on a cron cadence (default-off, opt-in per cadence). `native` skips polling entirely and routes calls in-band during DMs / hourly checks. Outlook Mail and Outlook Calendar are *user-managed-connector* native: install the MCP yourself, Aitne synthesises a probe pass.
 
-Delegated mode lets you skip OAuth setup entirely if your backend already has a connector for the service. Aitne handles `same-backend` (no daemon hop) and `cross-backend` (daemon spawns a one-shot subprocess of the delegated backend) transparently.
+Every mode change goes through `POST /api/integrations/:key/probe` and the per-key flip lock — a live capability check is mandatory before flipping to `delegated` or `native`.
 
 ---
 
 ## Safety model
 
-Aitne uses three independent safety layers that hold in **every** execution mode:
+Aitne stacks **four** independent safety layers. The bottom layer holds even when the upper layers are widened by the user.
 
 ### Layer 1 — SDK permission model
 
 ```typescript
-// strict (Safe) mode — packages/daemon/src/core/backends/claude-code-core.ts
+// Safe (strict) mode — claude-tool-collection.ts:CLAUDE_DEFAULT_ALLOWED_TOOLS
 permissionMode: "dontAsk"
 allowedTools:    ["Read", "Glob", "Grep", "Write", "Edit", "Skill",
                   "Bash(curl *)", "Bash(git *)", "Bash(jq *)"]
-disallowedTools: DEFAULT_DISALLOWED_TOOLS  // ALWAYS_DISALLOWED + chmod/chown/git --force/reset --hard/clean
-// Write/Edit on secret paths (.env, ~/.ssh, ~/.aws, ~/.personal-agent/secrets, …)
-// are blocked by path-glob entries in the absolute-block layer.
+disallowedTools: ALWAYS_DISALLOWED_TOOLS + dashboard overrides
 ```
 
-### Layer 1.5 — PreToolUse hooks
+Allow mode swaps to `permissionMode: "bypassPermissions"` but the absolute-block layer below still applies.
+
+### Layer 2 — PreToolUse hooks (Claude, Safe mode)
 
-Every `curl` invocation has its destination URL parsed and checked. Anything that isn't `http://localhost:8321` is denied. Variable expansion (`$URL`) is resolved before the check.
+In Safe mode, every `Bash(curl ...)` invocation is parsed: the hostname must be `localhost` or `127.0.0.1` and the port must match the daemon's `apiPort`. Connection-override flags (`--connect-to`, `--resolve`, `--proxy`, `-x`, `--socks`, `-K`) are also rejected. A parallel `jq` hook blocks `--rawfile` / env-leak filters. In Allow mode the curl/jq pair is skipped, but the absolute-block hook (below) and the context-write attribution hook still run. Vault writes are attributed to the agent via `AgentWriteTracker` so they don't loop back as observations.
 
-### Layer 2 — Daemon API risk tiers
+### Layer 3 — Daemon API risk tiers
 
 | Tier | Examples | Auth required |
 |---|---|---|
-| **Autonomous** | `GET /api/context/*`, `POST /api/notify`, `POST /api/schedule` | None (localhost only) |
+| **Autonomous** | `GET /api/context/*`, `POST /api/notify`, `POST /api/schedule`, `POST /api/observations` | None (localhost only) |
 | **ReadSensitive** | `GET /api/observations`, `GET /api/calendar/events`, `GET /api/mail/search` | `X-Read-Token` or Bearer |
-| **Approve** | `PATCH /api/config`, `POST /api/setup/*`, `POST /api/system/factory-reset`, `POST /api/triggers`, `/api/repositories`, `/api/mcp/servers` | Bearer |
+| **Approve** | `PATCH /api/config`, `POST /api/setup/*`, `POST /api/system/factory-reset`, `POST /api/triggers`, `/api/repositories`, `/api/mcp/servers`, `/api/integrations` | Bearer |
 
-### Absolute-block layer (`ALWAYS_DISALLOWED_TOOLS`)
+### Layer 4 — Absolute-block layer (`ALWAYS_DISALLOWED_TOOLS`)
 
-Hard-blocked in **both Safe and Allow** modes. Even `bypassPermissions` cannot widen past this:
+Hard-blocked in **both Safe and Allow** modes. `bypassPermissions` and `allowedToolsOverride` cannot widen past this:
 
-- Recursive delete: `rm -rf *`, `rm -r *`
+- Recursive delete: `rm -rf *`, `rm -r *`, `rm --recursive*` (every flag-bundle variant)
 - Privilege escalation: `sudo *`, `doas *`, `su *`
 - Pipe-to-shell RCE: `curl * | sh`, `wget * | bash`, `bash <(...)`
 - Platform secret CLI: `security *`, `secret-tool *`, `cmdkey *`
 - Secret file reads/writes: `.env`, `~/.ssh/**`, `~/.gnupg/**`, `~/.aws/**`, `~/.config/gcloud/**`
 - Daemon-managed secrets: `~/.personal-agent/secrets/**`, `~/.personal-agent/whatsapp/auth/**`
 
+Every blocked attempt lands in `agent_actions` with `action_type='blocked_absolute'`.
+
 ### Other guarantees
 
 - **Localhost-only API** — daemon binds to `127.0.0.1` only
@@ -925,19 +926,19 @@ Hard-blocked in **both Safe and Allow** modes. Even `bypassPermissions` cannot w
 | `autonomousDailyCostCapUsd` | null (alert-only) | yes |
 | `autonomousMonthlyCostCapUsd` | null (alert-only) | yes |
 | Per-ProcessKey `maxBudgetUsd` (in `process_backend_config`) | per-row, set from `/settings/models` | yes |
-| `delegated_task` `maxBudgetUsd` hard cap | $0.50 | no (compile-time) |
+| `delegated_task` hard caps | `maxToolCalls=15` · `maxBudgetUsd=$0.50` · `timeoutMs=300_000` | no (compile-time) |
 
 ### Typical day's spend
 
 ```
-04:00  Morning Routine  (Opus / Sonnet)   ~$0.15
-07:00  Morning Briefing (Sonnet)          ~$0.03
-09:00  Hourly Check     (Sonnet)          ~$0.05
-12:00  Hourly Check     (Sonnet)          ~$0.03
-12:55  DM response      (Opus)            ~$0.10
-18:00  Evening Review   (Sonnet)          ~$0.15
+04:00  Morning Routine  (Sonnet)            ~$0.15
+07:00  Morning Briefing (Sonnet)            ~$0.03
+09:00  Hourly Check     (Sonnet)            ~$0.05
+12:00  Hourly Check     (Sonnet)            ~$0.03
+12:55  DM response      (Sonnet)            ~$0.08
+18:00  Evening Review   (Sonnet)            ~$0.15
 ─────────────────────────────────────────────────
-Total                                     ~$0.51
+Total                                       ~$0.49
 ```
 
 If you're on a Claude / Codex / Gemini subscription, none of this hits a metered API key — it consumes your subscription quota directly. Quota exhaustion is detected, dedupe-notified once per 2-hour window, and the next hourly tick retries automatically.
@@ -958,33 +959,31 @@ PA_DASHBOARD_PORT=3000
 PA_LOG_LEVEL=info                 # trace | debug | info | warn | error
 ```
 
-### Pre-seeding messaging via env (optional)
+### Pre-seeding identifiers via env (optional)
+
+Bot **tokens and OAuth credentials** always live in the OS keychain — they're never read from environment variables. The wizard's Messaging step (or `/connections/*`) is the single entry point. The few non-secret identifiers you *can* pre-seed for fully scripted installs:
 
 ```bash
-# Slack
-PA_SLACK_BOT_TOKEN=xoxb-...
-PA_SLACK_APP_TOKEN=xapp-...
+# Owner identifiers (non-secret — let messaging adapters know who you are)
 PA_SLACK_OWNER_USER_ID=U...
-
-# Telegram
-PA_TELEGRAM_BOT_TOKEN=...
 PA_TELEGRAM_OWNER_CHAT_ID=...
-
-# Discord
-PA_DISCORD_BOT_TOKEN=...
 PA_DISCORD_OWNER_USER_ID=...
+PA_WHATSAPP_ENABLED=true
+PA_WHATSAPP_OWNER_PHONE=...
+
+# Obsidian vault paths
+PA_PRIMARY_VAULT_PATH=~/Documents/MyVault
+PA_EXTERNAL_OBSIDIAN_VAULT_PATH=~/Documents/SecondaryVault
 
-# Local paths
-PA_OBSIDIAN_VAULT_PATH=~/Documents/MyVault
-PA_GIT_REPOS='["/path/to/repo1"]'
-PA_GITHUB_REPOS='["owner/repo"]'
+# Notion default database routing
+PA_NOTION_DATABASE_IDS='{"tasks":"abc...","notes":"def..."}'
 ```
 
-Google services (Gmail, Calendar) and Notion are connected via OAuth from the dashboard `/connections` page after first launch — no env vars required.
+Everything else — bot tokens, OAuth refresh tokens, Notion API key, GitHub token, Google Maps key, Apple Calendar credentials — is set from the dashboard `/connections` page (or via the setup wizard) and lives in the keychain.
 
 ### Runtime settings
 
-The dashboard `/settings` tree exposes ~80 runtime keys. The headline ones:
+The dashboard `/settings` tree exposes ~100 runtime keys. The headline ones:
 
 - **Schedule** — `timezone`, `dayBoundaryHour`, hourly check window & interval, cron schedules
 - **Notifications** — `quietHoursStart/End`, `maxNotificationsPerHour`, `maxNotificationsPerDay`, `batchIntervalMinutes`
@@ -994,6 +993,9 @@ The dashboard `/settings` tree exposes ~80 runtime keys. The headline ones:
 - **Cost** — daily / monthly soft caps with 80% and 100% alerts
 - **Mail** — provider list, poll interval, IMAP IDLE on/off
 - **Character** — 1,000-char free-form tone description
+- **Language** — `primaryLanguage` nudges output language for DMs, knowledge, and vault writes
+- **Voice** — `voiceTranscriptionEnabled`, `voiceTranscriptionModel`, `voiceTranscriptionPrimaryLanguage`
+- **Delegated task mode** — kill switch, per-day quota, heavy-tier opt-in, cache / pool / structured-output toggles
 
 …or just DM the agent: *"Don't run hourly checks on weekends."*
 
@@ -1044,7 +1046,7 @@ The build did not complete. Run `aitne build` and check for TypeScript errors.
 
 ### Port already in use
 
-Change `PA_API_PORT` in `.env`. To find the conflicting process:
+Change `PA_API_PORT` (or `PA_DASHBOARD_PORT`) in `.env`. To find the conflicting process:
 
 ```bash
 # macOS / Linux
@@ -1063,11 +1065,11 @@ npm config get prefix
 
 ### SQLite errors on startup
 
-The DB can be reset safely — your Markdown memory in `context/` is untouched:
+The DB can be reset safely — your Markdown memory in `context/` is untouched. The `*` clears the WAL + SHM companion files:
 
 ```bash
 aitne stop
-rm ~/.personal-agent/data/personal_agent.db*           # macOS / Linux
+rm ~/.personal-agent/data/personal_agent.db*
 # Remove-Item "$env:USERPROFILE\.personal-agent\data\personal_agent.db*"  # Windows
 aitne start
 ```
@@ -1076,7 +1078,7 @@ aitne start
 
 ```bash
 aitne doctor                           # confirms which backend failed
-claude auth login --claudeai           # re-auth Claude
+claude auth login                      # re-auth Claude
 codex login --device-auth              # re-auth Codex
 # Gemini re-auth happens automatically via the dashboard banner
 ```
@@ -1110,9 +1112,10 @@ pnpm clean          # remove all build artifacts and node_modules
 
 | Layer | Stack |
 |---|---|
-| **Daemon** | Node.js 22 · Hono · `@anthropic-ai/claude-agent-sdk` · `@slack/bolt` · `telegraf` · `discord.js` · `baileys` · `googleapis` · `@notionhq/client` · `@octokit/rest` · `chokidar` · `node-cron` · `heap-js` · `pino` · `zod` |
+| **Daemon** | Node.js 22 · Hono · `@anthropic-ai/claude-agent-sdk` · `@slack/bolt` · `telegraf` · `discord.js` · `@whiskeysockets/baileys` · `googleapis` · `@azure/msal-node` · `@notionhq/client` · `@octokit/rest` · `tsdav` · `chokidar` · `node-cron` · `heap-js` · `pino` · `zod` |
 | **Storage** | `better-sqlite3` (WAL + FTS5 trigram) · OS Keychain · plain Markdown |
 | **Dashboard** | Next.js 16 (App Router) · React 19 · Tailwind CSS 4 · shadcn/ui · TanStack Query · Recharts · Monaco Editor |
+| **Voice** | `ffmpeg-static` · `@huggingface/transformers` (Whisper, opt-in) |
 | **Monorepo** | pnpm 10.x workspaces · Turborepo · TypeScript 5.8 · Vitest 3 |
 
 ### Conventions
@@ -1131,10 +1134,11 @@ pnpm clean          # remove all build artifacts and node_modules
 | Change event routing | `src/core/dispatcher.ts` + `src/core/event-bus.ts` |
 | Add a backend or change tier mapping | `packages/shared/src/process-key.ts` + `src/core/backends/backend-router.ts` |
 | Add an API route | `src/api/routes/` + register in `src/api/server.ts` |
-| Add an integration | `src/services/<name>/` + `src/observers/` (if polling) + `src/api/routes/` |
+| Add an integration | `packages/shared/src/integrations.ts` (registry) + `src/services/<name>/` + optional `src/observers/` |
 | Edit a built-in skill | `agent-assets/skills/<slug>/SKILL.md` |
 | Edit an event task flow | `agent-assets/task-flows/<eventType>.md` |
 | Change risk classification | `src/safety/risk-classifier.ts` |
+| Change the absolute-block layer | `src/safety/always-disallowed.ts` |
 | Change auth health / recovery | `src/core/backends/auth-health-monitor.ts` + `auth-recovery.ts` |
 
 ---
@@ -1154,7 +1158,7 @@ In your OS-native credential store (macOS Keychain / libsecret / DPAPI). Never i
 Yes — Claude Code, OpenAI Codex, and Google Gemini CLI are all supported. Pick one or all three. Per-process tier routing lets you mix-and-match.
 
 **Do I need an API key?**
-You don't need a metered API key — Aitne uses your subscription quota via the official CLIs (`claude auth login`, `codex login`, `gemini`). If you'd rather pay-as-you-go, supply `ANTHROPIC_API_KEY` / `OPENAI_API_KEY` / `GEMINI_API_KEY` in the wizard.
+No metered API key required — Aitne uses your subscription quota via the official CLIs (`claude auth login`, `codex login`, `gemini`). If you'd rather pay-as-you-go, supply `ANTHROPIC_API_KEY` / `OPENAI_API_KEY` / `GEMINI_API_KEY` in the wizard.
 
 **Can I edit the agent's memory directly?**
 Yes — that's the entire point. Open `~/.personal-agent/context/today.md` in your editor, change anything, save. The agent picks up your edits on the next routine. Any edit is *just text in a file* — no proprietary format, no migration headaches if you uninstall.
@@ -1172,7 +1176,7 @@ Yes. Aitne reads your `~/.claude/`, `~/.codex/`, `~/.gemini/` configs on session
 The AI backends and reactive messaging need internet (to hit those services). The daemon, dashboard, observers (Git, Obsidian local), and Markdown memory are entirely offline.
 
 **Does it support languages other than English?**
-Yes. Talk to it in your native language — Japanese, German, Spanish, anything. The LLM handles it. The agent's internal Markdown memory is multilingual; what's stored is what you say.
+Yes. Talk to it in your native language — Japanese, German, Spanish, anything. The LLM handles it; the `primaryLanguage` setting nudges DM / knowledge / vault outputs into that language too. Implementation code remains English-only.
 
 **Is this for my whole team?**
 No — Aitne is **single-owner by design**. Group chats and multi-user channels are filtered at the adapter layer. If you want a team agent, run one Aitne per teammate.